https://wiki.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_Content_Spoofing&feed=atom&action=historyOWASP Periodic Table of Vulnerabilities - Content Spoofing - Revision history2024-03-28T12:19:04ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_Content_Spoofing&diff=163429&oldid=prevJames Landis at 23:46, 15 November 20132013-11-15T23:46:49Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 23:46, 15 November 2013</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l32" >Line 32:</td>
<td colspan="2" class="diff-lineno">Line 32:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Discussion / Controversy ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Discussion / Controversy ===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Some argue that the information leakage risk of replying with 404 for missing content vs. 200 for actual content is significant. Replying with 200 for everything may have SEO implications.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Some argue that the information leakage risk of replying with 404 for missing content vs. 200 for actual content is significant. Replying with 200 for everything may have SEO implications<ins class="diffchange diffchange-inline">. URL Content spoofing risk may not be clearly defined enough to show need for standards-based solution</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== References ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== References ===</div></td></tr>
</table>James Landishttps://wiki.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_Content_Spoofing&diff=151713&oldid=prevJames Landis: Created page with "Return to Periodic Table Working View == Content Spoofing == === Root Cause Summary === The ap..."2013-05-15T21:21:31Z<p>Created page with "<a href="/index.php/OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities" title="OWASP Periodic Table of Vulnerabilities">Return to Periodic Table Working View</a> == Content Spoofing == === Root Cause Summary === The ap..."</p>
<p><b>New page</b></p><div>[[OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities|Return to Periodic Table Working View]]<br />
<br />
== Content Spoofing ==<br />
<br />
=== Root Cause Summary ===<br />
<br />
The application displays user-defined content in the URL or page body in a way that makes it appear to be legitimate site content.<br />
<br />
=== Browser / Standards Solution ===<br />
<br />
Define a new 40X status code that can be used instead of the current strategy employed by many sites of using a 200 response code for missing content or a 30x redirect, which is handled in the following way:<br />
<br />
* The URL bar is overwritten with the contents of the Location header, which is restricted to a URL from the same origin as the original request.<br />
* The response body specified by the server is displayed. If not specified, the browser substitutes a generic 404 page.<br />
<br />
=== Perimeter Solution ===<br />
<br />
None<br />
<br />
=== Generic Framework Solution ===<br />
<br />
None<br />
<br />
=== Custom Framework Solution ===<br />
<br />
The framework must clearly segregate user-defined content from site-defined content.<br />
<br />
=== Custom Code Solution ===<br />
<br />
None<br />
<br />
=== Discussion / Controversy ===<br />
<br />
Some argue that the information leakage risk of replying with 404 for missing content vs. 200 for actual content is significant. Replying with 200 for everything may have SEO implications.<br />
<br />
=== References ===<br />
<br />
[[Content_Spoofing| Content Spoofing]]<BR><br />
[http://projects.webappsec.org/w/page/13246917/Content%20Spoofing Content Spoofing (WASC)]</div>James Landis